Second place in the Throwdown went to M.A.D. (Mobile Application Development) Partners for its Mobile Active Defense platform. The company's Mobile Enterprise Compliance and Security (MECS) Server v1.1 is a device, virtual device or SaaS offering that controls access to applications for smartphones. The position of M.A.D.'s founders when they started the company three years ago was that application stores are the largest single malicious software delivery mechanism in the world. That position has not changed, but the ability of companies that have smartphone users to protect their enterprises has. Our judges were just M.A.D. enough to give this company the thumbs-up for second place.
According to M.A.D., there are two approaches to dealing with apps: the so-called BlackBerry approach (basically the phone as a dumb terminal) and the sandbox approach. The trouble with the latter is that the user can bypass the sandbox by turning it off, because the sandbox is itself an app. And, of course, jailbreaking is a common practice, and that also opens these devices up to a variety of security problems, most of which are application-borne.
So what is needed, the partners reasoned, was an approach that amounts to a network access control (NAC) system for applications. And that, basically, is what the MECS server is. MECS targets Apple devices, Droid-based devices, Windows Mobile 6.1 and 6.5, and Symbian-based products. BlackBerry already is, arguably, the most natively secure.
If a user wants to download an application to a PC on the organization's network, they need permission to install it. That permission usually is not granted lightly, and most users do not have administrator rights on company PCs. M.A.D. figures that smartphones should be no different. But achieving this control had to be easy. The MECS server does the trick.
First, the MECS server configures just like a firewall, so system administrators already know how to set it up. Second, smartphone users must go through the MECS Server to access the internet. When the smartphone tries to access the internet, it sets up a VPN to the MECS server. That server can reside physically at the organization or it can manifest as a SaaS service in the cloud. If the site that the smartphone wants to browse is allowed by the MECS Server's policy, the connection is made.
Often an organization will want to accommodate private email accounts, such as Gmail or Yahoo, for users. M.A.D. has a private email server to which the MECS Server can direct users for that purpose while still protecting the enterprise from infection, compromise or misbehaving applications. MECS Server encrypts all traffic between the phone and the server and offers content filtering and geolocation-based firewall rules. The firewall rules and configuration are not just for show. In fact, MECS includes a full stateful inspection firewall, content filtering, and blacklists and whitelists.
Management is easy, and users can create policies to control and enforce passwords while permitting access to such things as iTunes and YouTube. There is a wipe feature so that if the smartphone is stolen it can be wiped remotely, preventing unauthorized access by unknown third parties.
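To make the per-request policy decision described above concrete, here is an added toy model of the gateway logic (this is not M.A.D.'s code; the rule format, the placeholder private mail server name, the constructed country code and the sample policy are all assumptions). It shows a deny-by-default check that applies a blacklist, a geolocation block, a redirect of personal webmail to the private email server, and a whitelist for sites such as iTunes and YouTube.

```python
"""Toy model of a MECS-style gateway policy check (added illustration, not
M.A.D.'s code). The policy fields and sample values are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Request:
    device: str   # identifier of the VPN-connected smartphone
    host: str     # destination host the phone is trying to reach
    country: str  # geolocation of the destination (assumed resolved by the gateway)


@dataclass
class Policy:
    blacklist: set = field(default_factory=set)          # hosts/domains always denied
    whitelist: set = field(default_factory=set)          # hosts/domains always allowed
    blocked_countries: set = field(default_factory=set)  # geolocation-based firewall rules
    webmail_hosts: set = field(default_factory=set)      # personal email sites to redirect
    mail_proxy: str = "mail.example.internal"            # placeholder private email server
    default_allow: bool = False                          # deny by default, like a NAC


def _matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(req, policy):
    """Evaluate one request. Returns ('deny', reason), ('allow', host)
    or ('redirect', proxy). Rule order: explicit blacklist wins, then the
    geolocation block, then the webmail redirect, then the whitelist; anything
    else falls through to the default (deny unless default_allow is set)."""
    if _matches(req.host, policy.blacklist):
        return ("deny", "blacklisted host")
    if req.country in policy.blocked_countries:
        return ("deny", "blocked geolocation")
    if _matches(req.host, policy.webmail_hosts):
        return ("redirect", policy.mail_proxy)
    if _matches(req.host, policy.whitelist):
        return ("allow", req.host)
    return ("allow", req.host) if policy.default_allow else ("deny", "not in policy")


# Constructed sample policy for demonstration only.
SAMPLE_POLICY = Policy(
    blacklist={"malware.example"},
    whitelist={"itunes.apple.com", "youtube.com"},
    blocked_countries={"XX"},
    webmail_hosts={"gmail.com", "mail.yahoo.com"},
)
```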
Pricing for the MECS Server is very flexible. For smaller organizations, the SaaS model probably is appropriate.
So when your organization starts to use smartphones, be aware of the risks of apps. Implement a NAC for apps to protect your organization from compromise through these very powerful devices. And, you knew this was coming, didn't you? Don't get mad, get M.A.D. MECS Server.